Issue
ModSecurity needs to be installed on a server with Nginx and Imunify360 stand-alone.
Environment
- Imunify360 stand-alone.
- Nginx
- ModSecurity 3
- CentOS or AlmaLinux OS
Solution
The following example applies to a CentOS 7 server. Depending on the existing configuration, the steps may differ. Make sure that the Nginx configuration can be restored if a step fails.
1. Install the necessary packages to compile ModSecurity:
# yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel
# yum install libtool lmdb lmdb-devel libxml2 libxml2-devel ssdeep ssdeep-devel lua lua-devel pcre-devel
2. Download and compile ModSecurity:
# cd /opt
# git clone --depth 1 -b v3.0.12 --single-branch https://github.com/SpiderLabs/ModSecurity
# cd /opt/ModSecurity/
# git submodule init
# git submodule update
# ./build.sh
# ./configure
# make
# make install
Make sure the module is available:
# ls -la /usr/local/modsecurity/lib/libmodsecurity.so
lrwxrwxrwx 1 root root 23 Jan 13 16:36 /usr/local/modsecurity/lib/libmodsecurity.so -> libmodsecurity.so.3.0.4
3. Check the installed Nginx version:
# nginx -v |& grep -oP '/\K.*'
1.18.0
4. Download and compile the ModSecurity Nginx connector for the installed Nginx version:
# cd /opt
# git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
# wget https://nginx.org/download/nginx-1.18.0.tar.gz -O nginx.tar.gz
# tar zxvf nginx.tar.gz
# cd /opt/nginx-1.18.0/
# ./configure --with-compat --add-dynamic-module=../ModSecurity-nginx
# make modules
# cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules/
Make sure the module is available:
# ls -la /etc/nginx/modules/ngx_http_modsecurity_module.so
-rwxr-xr-x 1 root root 229672 Jan 13 16:53 /etc/nginx/modules/ngx_http_modsecurity_module.so
5. Add the connector module to the Nginx config after the pid line:
# head /etc/nginx/nginx.conf
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
load_module modules/ngx_http_modsecurity_module.so;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
6. Set up the realip module:
# cat /etc/nginx/conf.d/realip.conf
real_ip_header X-Forwarded-For;
set_real_ip_from 127.0.0.1;
set_real_ip_from ::1;
7. Set up the modsec module:
# cat /etc/nginx/modsec.conf
SecAuditEngine RelevantOnly
SecConnEngine Off
SecRuleEngine On
SecAuditLogFormat JSON
SecAuditLog /var/log/nginx/modsec_audit_log
8. Include the Imunify360 mod_security config:
# mkdir -p /etc/sysconfig/imunify360/generic/
# touch /etc/sysconfig/imunify360/generic/modsec.conf
# cat /etc/nginx/conf.d/zz_imunify360_modsec.conf
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec.conf;
modsecurity_rules_file /etc/sysconfig/imunify360/generic/modsec.conf;
9. Test the Nginx config and restart:
# nginx -t
# systemctl restart nginx
Important! Repeat steps 3 and 4 each time Nginx is updated or reinstalled on the server, to avoid possible compatibility issues.
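Once Nginx has restarted, the JSON audit log configured in step 7 can be summarised to confirm that the engine is recording rule hits. The script below is an added example, not part of the original article or of Imunify360. It assumes one JSON object per line with the fields transaction.client_ip, transaction.messages[].details.ruleId and transaction.response.http_code, and that a 403 response means the request was blocked; the sample lines and rule IDs are constructed.

```python
import json
from collections import Counter

# Constructed sample lines (not real traffic); the field layout is an assumption.
SAMPLE = "\n".join([
    '{"transaction":{"client_ip":"203.0.113.7","request":{"method":"GET","uri":"/a"},'
    '"response":{"http_code":403},"messages":[{"message":"constructed rule A",'
    '"details":{"ruleId":"900001","severity":"2"}}]}}',
    '{"transaction":{"client_ip":"203.0.113.7","request":{"method":"POST","uri":"/b"},'
    '"response":{"http_code":403},"messages":[{"message":"constructed rule A",'
    '"details":{"ruleId":"900001","severity":"2"}},{"message":"constructed rule B",'
    '"details":{"ruleId":"900002","severity":"4"}}]}}',
    '{"transaction":{"client_ip":"198.51.100.9","request":{"method":"GET","uri":"/c"},'
    '"response":{"http_code":200},"messages":[]}}',
    '{"transaction":{"client_ip":"198.51.100.9","requ',  # truncated write
])


def summarize(lines):
    """Count rule hits per (client_ip, ruleId), blocked requests per IP, and bad lines."""
    hits, blocked, malformed = Counter(), Counter(), 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            tx = json.loads(line)["transaction"]
        except (ValueError, KeyError, TypeError):
            malformed += 1  # partial line still being written, or not JSON
            continue
        if not isinstance(tx, dict):
            malformed += 1
            continue
        ip = tx.get("client_ip", "unknown")
        for msg in tx.get("messages") or []:
            rule_id = str((msg.get("details") or {}).get("ruleId", "unknown"))
            hits[(ip, rule_id)] += 1
        if (tx.get("response") or {}).get("http_code") == 403:  # assumed deny status
            blocked[ip] += 1
    return {"hits": hits, "blocked": blocked, "malformed": malformed}


if __name__ == "__main__":
    import sys
    # No argument: use the constructed sample. Otherwise read the given log file,
    # e.g. /var/log/nginx/modsec_audit_log from step 7.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    report = summarize(source)
    for (ip, rule_id), n in report["hits"].most_common():
        print(f"{ip}\trule {rule_id}\t{n} hit(s)")
    print("blocked:", dict(report["blocked"]), "malformed lines:", report["malformed"])
```

A log that stays empty under test traffic, or a high malformed count, is a reason to recheck the SecAuditLog path and SecAuditLogFormat in /etc/nginx/modsec.conf.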